Hi all,

yesterday I was going to try puppet on windows, so I fired up a Windows
7 VM, and just for curiosity, instead of joining it to the AD realm, i
decided to try the instructions outlined in the wiki to join the machine
to the IPA realm:

So I went with the instructions, on the windows Workstation.

ksetup /setdomain [REALM NAME]
ksetup /addkdc [REALM NAME] [kdc DNS name]
ksetup /addkpassword [REALM NAME] [kdc DNS name]
ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
ksetup /mapuser * *

Next, the instructions tell you to create Windows local users
corresponding to the IPA kerberos realm users, because you know,
kerberos only does authentication and it can tell nothing to the windows
workstation about the identity of the user... However, just for kicks, I
rebooted the VM and _without creating any local user_ I tried to login
with myuser@IPA.REALM … And it worked! It created a profile directory,
showed my full name on the start menu. Then I tried to browse the web
and SSO with squid worked like a charm, SSO with putty worked and I even
logged in to the IPA administration page with my ticket. 

But it wasn't supposed to work without creating a local user... why it
was working then?

Please notice this, the IPA realm has a trust with the AD realm, so
samba 4 is running on the IPA servers and every user in the IPA realm
has a SID assigned... and its ticket comes with a PAC, I think that is
the important part.

Finally, what worked and what don't:

      * I was able to login on Win 7 with an IPA user and having a local
        profile created automatically
      * I was able to perform SSO authentication with IPA services
      * I was able to add my IPA user to the "Administrators" group in
        windows, with the NET LOCALGROUP command.
      * I couldn't add the IPA "admins" group to the "Administrators"
        group. With "NET LOCALGROUP Administrators IPA\admins /add" it
        tells me that it doesn't recognise the IPA\admins group.
      * I couldn't add other IPA users to the Administrators group, only
        my logged in user. 
      * I can't add IPA users to group with the graphical administration
        tools, they won't show the IPA realm, only the NET command
        worked somehow

I'm investigating why Windows can't see IPA users and group other than
the currently logged in user, but I suspect that is simply because
Windows takes the logged in user SID from the PAC and it doesn't really
talk to samba4.

If one could add IPA groups to local Windows groups, combine that with
puppet policies, that would be the holy grail of system
administration :)

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Freeipa-users mailing list

Reply via email to